thomasbinder
diff --git a/‎README.md
Lines changed: 8 additions & 8 deletions b/‎README.md
Lines changed: 8 additions & 8 deletions
diff --git a/‎exchange/docs-conceptual/app-only-auth-powershell-v2.md
Lines changed: 28 additions & 25 deletions b/‎exchange/docs-conceptual/app-only-auth-powershell-v2.md
Lines changed: 28 additions & 25 deletions
@@ -4,7 +4,7 @@
 
 This repository holds reference content of Office PowerShell cmdlets for help purpose. The expert knowledge around Office PowerShell is distributed among customers, MVPs, partners, product teams, support, and other community members. Consumers have various preferences when consuming knowledge such as a website, PowerShell Get-Help, Windows app, iOS app, Android app, and others. The following diagram illustrates the point.
 
-![Contribution and Consumption model for Office PowerShell reference content](images/contrib-consumption-model.png)
+![Contribution and Consumption model for Office PowerShell reference content.](images/contrib-consumption-model.png)
 
 ## Learn How To Contribute
 
@@ -19,19 +19,19 @@ Contributors who only make infrequent or small updates can edit the file directl
 
 This brief video also covers how to contribute:
 
-[![Image of Quick Start video](images/edit_video_capture.jpg)](https://support.office.com/article/edit-powershell-cmdlet-in-github-dcd20227-3764-48ce-ad6e-763af8b48daf)
+[![Image of Quick Start video.](images/edit_video_capture.jpg)](https://support.office.com/article/edit-powershell-cmdlet-in-github-dcd20227-3764-48ce-ad6e-763af8b48daf)
 
 ### Quickly update an article using GitHub.com
 
 1. Make sure you're signed in to GitHub.com with your GitHub account.
 2. Go to the page you want to edit on docs.microsoft.com.
 3. On the right-hand side of the page, click **Edit** (pencil icon).
 
-   ![Edit button on docs.microsoft.com](images/quick-update-edit.png)
+   ![Edit button on docs.microsoft.com.](images/quick-update-edit.png)
 
 4. The corresponding topic file on GitHub opens, where you need to click the **Edit this file** pencil icon.
 
-   ![Edit button on github.com](images/quick-update-github.png)
+   ![Edit button on github.com.](images/quick-update-github.png)
 
 5. The topic opens in a line-numbered editing page where you can make changes to the file.
 
@@ -45,7 +45,7 @@ This brief video also covers how to contribute:
 
    - Since you are likely not a maintainer of the Git repository, GitHub will automatically 'Fork' the project into your personal GitHub account. A fork is a copy of the repository in your git account. By forking, you can freely make edits without affecting the original repository. You can always find it again by looking at your GitHub Repositories in your GitHub Profile (drop-down from your name in the top right).
 
-     ![Image of Automatic Fork message on Github](images/auto_fork.png)
+     ![Image of Automatic Fork message on Github.](images/auto_fork.png)
 
 6. You can click the **Preview changes** tab to see what the changes will look like.
 
@@ -56,15 +56,15 @@ This brief video also covers how to contribute:
 
    When you're ready, click the green **Propose file change** button.
 
-   ![Propose file change section](images/propose-file-change.png)
+   ![Propose file change section.](images/propose-file-change.png)
 
 8. On the **Comparing changes** page that appears, click the green **Create pull request** button.
 
-   ![Comparing changes page](images/comparing-changes-page.png)
+   ![Comparing changes page.](images/comparing-changes-page.png)
 
 9. On the **Open a pull request** page that appears, click the green **Create pull request** button.
 
-   ![Open a pull request page](images/open-a-pull-request-page.png)
+   ![Open a pull request page.](images/open-a-pull-request-page.png)
 
 > [!NOTE]
 > Your permissions in the repo determine what you see in the last several steps. People with no special privileges will see the **Propose file change** section and subsequent confirmation pages as described. People with permissions to create and approve their own pull requests will see a similar **Commit changes** section with extra options for creating a new branch and fewer confirmation pages.<br/><br/>The point is: click any green buttons that are presented to you until there are no more.
 
@@ -28,6 +28,9 @@ Because storing user credentials locally is not a safe practice, we're releasing
 
 The following examples show how to use the Exchange Online PowerShell V2 module with app-only authentication:
 
+> [!IMPORTANT]
+> In the **Connect-ExchangeOnline** commands, be sure to use an `.onmicrosoft.com` domain in the _Organization_ parameter value. Otherwise, you might encounter cryptic permission issues when you run commands in the app context.
+
 - Connect using a local certificate:
 
   ```powershell
@@ -51,10 +54,7 @@ The following examples show how to use the Exchange Online PowerShell V2 module
   When you use the _Certificate_ parameter, the certificate does not need to be installed on the computer where you are running the command. This parameter is applicable for scenarios where the certificate object is stored remotely and fetched at runtime during script execution.
 
 > [!TIP]
->
-> - In the **Connect-ExchangeOnline** commands, be sure to use an `.onmicrosoft.com` domain in the _Organization_ parameter value. Otherwise, you might encounter cryptic permission issues when you run commands in the app context.
->
-> - App-only authentication does not support delegation. Unattended scripting in delegation scenarios is supported with the Secure App Model. For more information, go [here](/powershell/partnercenter/multi-factor-auth#exchange).
+> App-only authentication does not support delegation. Unattended scripting in delegation scenarios is supported with the Secure App Model. For more information, go [here](/powershell/partnercenter/multi-factor-auth#exchange).
 
 ## How does it work?
 
@@ -97,6 +97,9 @@ For a detailed visual flow about creating applications in Azure AD, see <https:/
    - Exchange administrator
    - Global Reader
 
+   > [!NOTE]
+   > The Global administrator and Exchange administrator roles provide the necessary permissions for any Exchange-related tasks, including recipient management and protection features (anti-spam, anti-malware, etc). The Security administrator role doesn't not have the necessary permissions for these same Exchange-related tasks.
+
 ## Appendix
 
 ## Step 1: Register the application in Azure AD
@@ -107,15 +110,15 @@ For a detailed visual flow about creating applications in Azure AD, see <https:/
 
 2. Under **Manage Azure Active Directory**, click **View**.
 
-   ![Click View in the Azure AD portal under Manage Azure Active Directory](media/exo-app-only-auth-manage-ad-view.png)
+   ![Click View in the Azure AD portal under Manage Azure Active Directory.](media/exo-app-only-auth-manage-ad-view.png)
 
 3. On the **Overview** page that opens, under **Manage**, select **App registrations**.
 
-   ![Select App registrations](media/exo-app-only-auth-select-app-registrations.png)
+   ![Select App registrations.](media/exo-app-only-auth-select-app-registrations.png)
 
 4. On the **App registrations** page that opens, click **New registration**.
 
-   ![Select New registration on the App registrations page](media/exo-app-only-auth-new-app-registration.png)
+   ![Select New registration on the App registrations page.](media/exo-app-only-auth-new-app-registration.png)
 
    On the **Register an application** page that opens, configure the following settings:
 
@@ -127,7 +130,7 @@ For a detailed visual flow about creating applications in Azure AD, see <https:/
 
      Note that you can't create credentials for [native applications](/azure/active-directory/manage-apps/application-proxy-configure-native-client-application), because you can't use that type for automated applications.
 
-     ![Register an application](media/exo-app-only-auth-register-app.png)
+     ![Register an application.](media/exo-app-only-auth-register-app.png)
 
    When you're finished, click **Register**.
 
@@ -140,7 +143,7 @@ For a detailed visual flow about creating applications in Azure AD, see <https:/
 
 1. On the app page under **Management**, select **Manifest**.
 
-   ![Select Manifest on the application properties page](media/exo-app-only-auth-select-manifest.png)
+   ![Select Manifest on the application properties page.](media/exo-app-only-auth-select-manifest.png)
 
 2. On the **Manifest** page that opens, find the `requiredResourceAccess` entry (on or about line 44).
 
@@ -164,33 +167,33 @@ For a detailed visual flow about creating applications in Azure AD, see <https:/
 
 3. Still on the **Manifest** page, under **Management**, select **API permissions**.
 
-   ![Select API permissions on the application properties page](media/exo-app-only-auth-select-api-permissions.png)
+   ![Select API permissions on the application properties page.](media/exo-app-only-auth-select-api-permissions.png)
 
    On the **API permissions** page that opens, do the following steps:
 
    - **API / Permissions name**: Verify the value **Exchange.ManageAsApp** is shown.
 
    - **Status**: The current incorrect value is **Not granted for \<Organization\>**, and this value needs to be changed.
 
-     ![Original incorrect API permissions](media/exo-app-only-auth-original-permissions.png)
+     ![Original incorrect API permissions.](media/exo-app-only-auth-original-permissions.png)
 
      Select **Grant admin consent for \<Organization\>**, read the confirmation dialog that opens, and then click **Yes**.
 
      The **Status** value should now be **Granted for \<Organization\>**.
 
-     ![Admin consent granted](media/exo-app-only-auth-admin-consent-granted.png)
+     ![Admin consent granted.](media/exo-app-only-auth-admin-consent-granted.png)
 
 4. Close the current **API permissions** page (not the browser tab) to return to the **App registrations** page. You'll use it in an upcoming step.
 
 ## Step 3: Generate a self-signed certificate
 
 Create a self-signed x.509 certificate using one of the following methods:
 
-- (Recommended) Use the [New-SelfSignedCertificate](/powershell/module/pkiclient/new-selfsignedcertificate), [Export-Certificate](/powershell/module/pkiclient/export-certificate) and [Export-PfxCertificate](/powershell/module/pkiclient/export-pfxcertificate) cmdlets in an elevated (run as administrator) Windows PowerShell session to request a self-signed certificate and export it to `.cer` and `.pfx` (SHA1 by default). For example:
+- (Recommended) Use the [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate), [Export-Certificate](/powershell/module/pki/export-certificate) and [Export-PfxCertificate](/powershell/module/pki/export-pfxcertificate) cmdlets in an elevated (run as administrator) Windows PowerShell session to request a self-signed certificate and export it to `.cer` and `.pfx` (SHA1 by default). For example:
 
   ```powershell
   # Create certificate
-  $mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
+  $mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
 
   # Export certificate to .pfx file
   $mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $(ConvertTo-SecureString -String "P@ssw0Rd1234" -AsPlainText -Force)
@@ -217,25 +220,25 @@ After you register the certificate with your application, you can use the privat
    2. Under **Manage Azure Active Directory**, click **View**.
    3. Under **Manage**, select **App registrations**.
 
-   ![Apps registration page where you select your app](media/exo-app-only-auth-app-registration-page.png)
+   ![Apps registration page where you select your app.](media/exo-app-only-auth-app-registration-page.png)
 
 2. On the application page that opens, under **Manage**, select **Certificates & secrets**.
 
-   ![Select Certificates & Secrets on the application properties page](media/exo-app-only-auth-select-certificates-and-secrets.png)
+   ![Select Certificates & Secrets on the application properties page.](media/exo-app-only-auth-select-certificates-and-secrets.png)
 
 3. On the **Certificates & secrets** page that opens, click **Upload certificate**.
 
-   ![Select Upload certificate on the Certificates & secrets page](media/exo-app-only-auth-select-upload-certificate.png)
+   ![Select Upload certificate on the Certificates & secrets page.](media/exo-app-only-auth-select-upload-certificate.png)
 
    In the dialog that opens, browse to the self-signed certificate (`.cer` file) that you created in [Step 3](#step-3-generate-a-self-signed-certificate).
 
-   ![Browse to the certificate and then click Add](media/exo-app-only-auth-upload-certificate-dialog.png)
+   ![Browse to the certificate and then click Add.](media/exo-app-only-auth-upload-certificate-dialog.png)
 
    When you're finished, click **Add**.
 
    The certificate is now shown in the **Certificates** section.
 
-   ![Application page showing that the certificate was added](media/exo-app-only-auth-certificate-successfully-added.png)
+   ![Application page showing that the certificate was added.](media/exo-app-only-auth-certificate-successfully-added.png)
 
 4. Close the current **Certificates & secrets** page, and then the **App registrations** page to return to the main <https://portal.azure.com/> page. You'll use it in the next step.
 
@@ -255,26 +258,26 @@ For general instructions about assigning roles in Azure AD, see [View and assign
 
 1. On the Azure AD portal at <https://portal.azure.com/>, under **Manage Azure Active Directory**, click **View**.
 
-   ![View in the Azure AD portal under Manage Azure Active Directory](media/exo-app-only-auth-manage-ad-view.png)
+   ![View in the Azure AD portal under Manage Azure Active Directory.](media/exo-app-only-auth-manage-ad-view.png)
 
 2. On the **Overview** page that opens, under **Manage**, select **Roles and administrators**.
 
-   ![Select Roles and administrators from the overview page](media/exo-app-only-auth-select-roles-and-administrators.png)
+   ![Select Roles and administrators from the overview page.](media/exo-app-only-auth-select-roles-and-administrators.png)
 
 3. On the **Roles and administrators** page that opens, find and select one of the supported roles by _clicking on the name of the role_ (not the check box) in the results.
 
-   ![Find and select a supported role by clicking on the role name](media/exo-app-only-auth-find-and-select-supported-role.png)
+   ![Find and select a supported role by clicking on the role name.](media/exo-app-only-auth-find-and-select-supported-role.png)
 
 4. On the **Assignments** page that opens, click **Add assignments**.
 
-   ![Select Add assignments on the role assignments page](media/exo-app-only-auth-role-assignments-click-add-assignments.png)
+   ![Select Add assignments on the role assignments page.](media/exo-app-only-auth-role-assignments-click-add-assignments.png)
 
 5. In the **Add assignments** flyout that opens, find and select the app that you created in [Step 1](#step-1-register-the-application-in-azure-ad).
 
-   ![Find and select your app on the Add assignments flyout](media/exo-app-only-auth-find-add-select-app-for-assignment.png)
+   ![Find and select your app on the Add assignments flyout.](media/exo-app-only-auth-find-add-select-app-for-assignment.png)
 
    When you're finished, click **Add**.
 
 6. Back on the **Assignments** page, verify that the app has been assigned to the role.
 
-   ![The role assignments page after to added the app to the role](media/exo-app-only-auth-app-assigned-to-role.png)
+   ![The role assignments page after to added the app to the role.](media/exo-app-only-auth-app-assigned-to-role.png)